Reproducible builds #1264
Comments
If you are suggesting to set up our own F-Droid repository: No, I have answered this already on help.nextcloud.com.
This still requires waiting for an index update of F-Droid. The build time itself is not the issue, but the time of the index update. Therefore this will not speed up the rollout of the app on F-Droid. Am I missing something here?
No, AFAIK, one could install the app from F-Droid, and then switch to the installed app from your source (it need not be an F-Droid repo; even a simple APK attached to a GitHub release would be sufficient, e.g.). The advantage then is testers could just get your APK before it is built by F-Droid, as it is signed with the same key.
I don't fully understand - even if F-Droid would accept a build of mine as equal and ship it, Android would prevent one from installing it over an already installed version due to a signing key mismatch...?
In fact it isn't the same key though, is it? - F-Droid signs with its own key, while APK files built by me are signed with my key, even if the builds are the same...
You sign it with your own key, F-Droid builds the same binary and verifies it is identical and, if so, distributes your binary. I highly suggest reading https://f-droid.org/en/docs/Reproducible_Builds/, especially the “How it is implemented as of now” part. Edit: FYI here is e.g. an example reproducible build AFAIK, from admin-ch/CovidCertificate-App-Android#40 (comment)
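The check this comment describes (F-Droid builds the binary itself, confirms it is identical to the developer-signed file apart from the signature, and only then ships the developer's file) can be sketched in a few lines. The following is an added example, not code from the F-Droid project or from fdroidserver: it compares the zip entries of two constructed toy APKs while ignoring the v1 (JAR) signature files under META-INF, which necessarily differ by signer. The real fdroidserver verification is more thorough (it also handles APK Signature Scheme v2/v3 blocks, which live outside the zip entries, and timestamp normalisation); all entry names, entry bytes and helper functions below are constructed for illustration.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

# Zip entries that a v1 (JAR) signature adds. They differ by signing key, so a
# reproducibility check must ignore them; every other entry must match exactly.
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for the manifest and signature/certificate files of a v1 signature."""
    return name in SIGNATURE_ENTRIES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def content_digests(apk_bytes: bytes) -> Dict[str, str]:
    """Map every non-signature zip entry to the SHA-256 of its uncompressed bytes."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(dev_apk: bytes, rebuilt_apk: bytes) -> List[str]:
    """Names of entries that differ or exist on only one side.

    An empty list means the developer-signed APK and the independent rebuild
    are byte-identical apart from the signature, i.e. the build reproduced."""
    a, b = content_digests(dev_apk), content_digests(rebuilt_apk)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def make_apk(entries: Dict[str, bytes]) -> bytes:
    """Constructed toy 'APK': a zip with fixed timestamps, so that only the
    entry contents can cause a difference between two builds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed application content shared by both builds (not a real app).
APP_CONTENT = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00constructed-dex-bytes",
    "res/values.arsc": b"constructed-resources",
}
# Constructed v1 signature files as the developer's key would add them.
DEV_SIGNATURE = {
    "META-INF/MANIFEST.MF": b"constructed manifest digests",
    "META-INF/DEV.SF": b"constructed signature file",
    "META-INF/DEV.RSA": b"constructed developer certificate",
}


def demo_reproducible() -> List[str]:
    """Developer-signed APK vs. an unsigned rebuild of the same sources."""
    signed_by_dev = make_apk({**APP_CONTENT, **DEV_SIGNATURE})
    unsigned_rebuild = make_apk(APP_CONTENT)
    return compare_builds(signed_by_dev, unsigned_rebuild)  # returns []


def demo_not_reproducible() -> List[str]:
    """Same comparison when the rebuilt bytecode differs: the mismatch is named,
    and a verifier would refuse to distribute the developer's file."""
    signed_by_dev = make_apk({**APP_CONTENT, **DEV_SIGNATURE})
    altered = {**APP_CONTENT, "classes.dex": b"dex\n035\x00different-bytes"}
    return compare_builds(signed_by_dev, make_apk(altered))  # returns ['classes.dex']


if __name__ == "__main__":
    print("reproducible build, differing entries:", demo_reproducible())
    print("altered build, differing entries:", demo_not_reproducible())
```

The point for a maintainer is that the signing key never has to leave the developer's machine: the developer signs locally, publishes the signed APK, and the rebuilder only needs the sources and a byte-level comparison like the one above to decide whether to redistribute that exact file.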
So what exactly needs to be done on our side? As far as I understand, we would need to set up a production build pipeline (currently only dev build) which would require us to place the signing key as a variable on the CI runner (GitHub in this case). Am I missing something? Don't get me wrong, reproducible builds are a fine thing, though I can't see how we should solve this predicament...
Hmm, you don't need to do that? But I can also point to the FAQ and docs above and am no expert here. Maybe @IzzySoft can help?
Sorry, but I can't – I'm not a dev and not familiar with how to set up reproducible builds.
Well, I read the docs but I need more exact instructions regarding the steps to do. "Build your APK locally and upload it anywhere the F-Droid server can find it" is unfortunately not precise enough for me to get this done...
Ah, that part I can answer. Let me cut it into pieces:
Does that help?
Is your feature request related to a problem? Please describe.
Faster updates from a trusted F-Droid repository.
And reproducible builds are also very good for security reasons: See https://reproducible-builds.org/.
#1256 (comment)
Technically, if the builds are reproducible, you can sign the same APK with your key and F-Droid just distributes that.
Describe the solution you'd like
F-Droid's reproducible builds.
Describe alternatives you've considered
Additional context
The people at CCTG and Signal (IIRC) e.g. made it work, so you can build on their experience: https://codeberg.org/corona-contact-tracing-germany/cwa-android/src/branch/main/docs/rebuilding.md
It's basically a Docker image with F-Droid's buildserver.
Note: Yes, I know it's likely not easy to setup, but it is a good idea for the future. 😊